You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-user@axis.apache.org by Hernan Bay Area Guy <he...@yahoo.com> on 2006/02/02 02:20:07 UTC

Digital signatures on AXIS?

Hello,

We have a prototype SOAP server running on AXIS 1.3
and would like to add client authentication using
digital signature.

I didn't find much information on the web, some
articles from 2002 or so mostly. According to these
articles, we need to use XML signatures, and
intercepti the messages before they reach the SOAP
engine itself to verify that the signature matches.

I'm still doing some research on this, but it's not
obvious to me how to tell the SOAP engine something
like "this message was signed by John Smith". We need
this type of functionality to be able to manage user's
permissions adequately of course.

We would like to avoid re-inventing the (square)
wheel, so pointers to articles / books on the subject,
and also any comments on how do you all implement
digital signatures on AXIS are much appreciated.

Many thanks in advance!

-- Hernan


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Re: Digital signatures on AXIS?

Posted by Anne Thomas Manes <at...@gmail.com>.

See http://ws.apache.org/wss4j/.

On 2/1/06, Hernan Bay Area Guy <he...@yahoo.com> wrote:
>
>
> Hello,
>
> We have a prototype SOAP server running on AXIS 1.3
> and would like to add client authentication using
> digital signature.
>
> I didn't find much information on the web, some
> articles from 2002 or so mostly. According to these
> articles, we need to use XML signatures, and
> intercepti the messages before they reach the SOAP
> engine itself to verify that the signature matches.
>
> I'm still doing some research on this, but it's not
> obvious to me how to tell the SOAP engine something
> like "this message was signed by John Smith". We need
> this type of functionality to be able to manage user's
> permissions adequately of course.
>
> We would like to avoid re-inventing the (square)
> wheel, so pointers to articles / books on the subject,
> and also any comments on how do you all implement
> digital signatures on AXIS are much appreciated.
>
> Many thanks in advance!
>
> -- Hernan
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>

Re: Digital signatures on AXIS?

Posted by Hernan Bay Area Guy <he...@yahoo.com>.

Thanks for the replies, will check the links you sent!

-- Hernan



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

RE: Digital signatures on AXIS?

Posted by glenn bech <gl...@webstep.no>.

In my opinion, this is a bit more complex than just setting up Axis the
right way. 

If you need to do such things as "This message was signed by john smith",
you will need some kind of PKI infrastructure. 

You have to think of how you store and distribute your keys. How will
'client A' be able to reach client 'B's public' certificate for message
validation? 

If you want to go down this path, I found some articles on how to build axis
that way here ;

" This is needed for Axis to support signed and encrypted messages (as
opposed to unsigned messages over HTTPS, which is different)"

http://ws.apache.org/axis/java/building-axis.html
http://xml.apache.org/security/

However,  if you don't want to set-up the key infrastracuture, a strategy
for unsigned XML messages over HTTPS could still meet your need. 

Ask me if anything of this is unclear.

Best regards,

Glenn





-----Original Message-----
From: Hernan Bay Area Guy [mailto:hernanbay@yahoo.com] 
Sent: 2. februar 2006 02:20
To: axis-user@ws.apache.org
Subject: Digital signatures on AXIS?


Hello,

We have a prototype SOAP server running on AXIS 1.3
and would like to add client authentication using
digital signature.

I didn't find much information on the web, some
articles from 2002 or so mostly. According to these
articles, we need to use XML signatures, and
intercepti the messages before they reach the SOAP
engine itself to verify that the signature matches.

I'm still doing some research on this, but it's not
obvious to me how to tell the SOAP engine something
like "this message was signed by John Smith". We need
this type of functionality to be able to manage user's
permissions adequately of course.

We would like to avoid re-inventing the (square)
wheel, so pointers to articles / books on the subject,
and also any comments on how do you all implement
digital signatures on AXIS are much appreciated.

Many thanks in advance!

-- Hernan


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com